Security Notification CVE-2014-4036 (Low Impact)

Recently, a new security notification had been submitted to CVE without the project being notified beforehand. This has been rectified, and we are preparing the appropriate files for release.

Low Risk Vulnerability

The vulnerability in itself is low risk, as it requires the attacker to have an ImpressCMS account that has been granted access to the list page of the image manager. That can be done for each category separately in Control Panel > Media > Image Manager. You should also be sure to check general access to the Image Manager for each group.

Contrary to some reports (such as the one on NVD), it cannot be exploited without authentication.

Temporary Patch Available

Webmasters that want to patch the vulnerability before we can release the patched versions can already use the appropriate file for their version of ImpressCMS and overwrite it on their system by unzipping in the ImpressCMS Root folder:

New versions upcoming

New versions that integrate the fix, once it is validated, will be posted on the website as soon as possible, along with a notification campaign that urges everyone to upgrade to the latest version. To be on the safe side, we have requested confirmation about the fix from another security researcher that we've worked with in the past.

Focus remains on Security

Security is one of our big concerns when developing and maintaining ImpressCMS. It is also one of the reasons our partners and customers choose to work with the project. Each time a security issue is found, we learn something for the future.

This incident has prompted us to be more proactive in looking for vulnerability reports on social media.